In a computer telecommunications network, firewalls are known which are used to protect a machine or network from undesired message transmissions. Undesired messages can burden resources such as processing and storage, can affect timely processing of other tasks, and may also be the result of malicious activity by hackers, causing more serious effects such as those caused by viruses, Trojan horses, and worms.
A firewall is typically located at a point of entry into a computer system or network, such as a port or TCP/IP network interface, and scans incoming message traffic by comparing the message traffic to a predetermined criteria. Message traffic matching not matching the predetermined criteria is discarded as undesired.
The criteria employed by a firewall to match and determine whether to accept or reject message traffic typically include parameters such as port numbers, application IDs, source, destination, content filters, IP address, machine names, and TCP/IP flags, and can potentially include many others depending on the complexity to be tolerated and the degree of protection desired. The number of parameters to be matched in determining whether to accept or reject message traffic determines a granularity of protection. Therefore, a firewall having a low granularity of criteria may inadvertently block desired incoming message traffic as undesired, and may not be adequate to protect against some undesired traffic.
Further, telecommunications networks may comprise wired and wireless links. A wireless link is typically provided between a base station processor and a subscriber access unit which exchange messages according to a wireless protocol such as IS—95 or other proprietary wireless protocol. The subscriber access unit is connected to the user computer system or network, and the base station processor is connected to a public access network such as the Internet. In a typical wireless link, a firewall is employed in the subscriber access unit, or in a subsequent gateway into the machine or network to be protected. Alternatively, the firewall may be employed in the computer system defining the access point to the network on the user side of the wireless link.
The wireless link, however, is supported by RF channels, which are a scarce resource that is allocated among many connections supported over the wireless link. Since the firewall is employed on the user side of the wireless link, a message rejected by the firewall has already consumed the wireless resources required to transmit. Accordingly, messages rejected by the firewall tend to waste bandwidth which could be allocated to other connections, can drive up user cost by increasing message transmissions, and tend to slow overall throughput because of the resources required to transmit them over the wireless link.
In other systems, the firewall may be employed on the wired network side of the wireless link, thereby detecting undesired transmissions prior to transmission from the base station processor or other wireless transceiver in communication with the subscriber access unit. However, a typical base station processor typically supports many subscriber access units corresponding to many different users. Therefore, locating the firewall on the base station processor side of the firewall removes wireless burden, but forces all users to conform to the same firewall.
However, different users may wish to protect a network or system according to varying degrees of granularity. One user may wish to reject all transmissions from a particular TCP/IP network address, and another may not. Or a particular user may wish to accept traffic only from a particular subnet address of a network, while another user may wish to accept all transmissions from the network address. Still other users may wish to accept message traffic only destined for a particular port, or application, while others may wish to block incoming connections altogether, and allow only outgoing connections. Various permutations of user granularity may be desired by different users.
Accordingly, it would be beneficial to provide a system and method for protecting a mobile wireless user via a firewall in a wireless network to allows a specific user profile to be provided for each user indicative of a desired firewall configuration corresponding to the mobile user.